studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ory): replace hardcoded DSN + secrets with OpenBao DB engine + VSO

Browse Source 
All Ory service credentials now flow from OpenBao through VSO instead
of being hardcoded in Helm values or Deployment env vars.

Kratos:
- Remove config.dsn; flip secret.enabled=false with nameOverride pointing
  at kratos-app-secrets (a VSO-managed Secret with secretsDefault,
  secretsCookie, smtpConnectionURI).
- Inject DSN at runtime via deployment.extraEnv from kratos-db-creds
  (VaultDynamicSecret backed by OpenBao database static role, 24h rotation).

Hydra:
- Remove config.dsn; inject DSN via deployment.extraEnv from hydra-db-creds
  (VaultDynamicSecret, same rotation scheme).

Login UI:
- Replace hardcoded COOKIE_SECRET/CSRF_COOKIE_SECRET env var values with
  secretKeyRef reads from login-ui-secrets (VaultStaticSecret → secret/login-ui).

vault-secrets.yaml adds: VaultAuth, Hydra VSS, kratos-app-secrets VSS,
login-ui-secrets VSS, kratos-db-creds VDS, hydra-db-creds VDS.
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-02 18:32:33 +00:00
parent 580eb3983e
commit c7b812dde8
5 changed files with 167 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
base/ory/kratos-values.yaml
View File

@@ -1,13 +1,12 @@
# Base Ory Kratos Helm values.
# DOMAIN_SUFFIX is replaced at apply time via sed.
# DSN is set in config (chart renders it into kratos-secrets Secret automatically).
# DSN and secrets come from K8s Secrets managed by VSO VaultDynamicSecret/VaultStaticSecret.
kratos:
automigration:
enabled: true
config:
version: v0.13.0
dsn: "postgresql://kratos:localdev@postgres-rw.data.svc.cluster.local:5432/kratos_db?sslmode=disable"
selfservice:
default_browser_return_url: https://auth.DOMAIN_SUFFIX/
@@ -54,12 +53,21 @@ kratos:
admin:
base_url: http://kratos-admin.ory.svc.cluster.local:4434/
# Chart creates kratos-secrets from Helm values (dsn + generated random secrets).
# Chart does not manage secrets — we create them externally via VSO.
# secret.nameOverride points chart at our VaultStaticSecret-managed K8s secret so
# the chart injects SECRETS_DEFAULT/SECRETS_COOKIE from kratos-app-secrets automatically.
# DSN is not injected by the chart when secret.enabled=false — we add it via extraEnv.
secret:
enabled: true
nameOverride: kratos-secrets
enabled: false
nameOverride: kratos-app-secrets
deployment:
extraEnv:
- name: DSN
valueFrom:
secretKeyRef:
name: kratos-db-creds
key: dsn
resources:
limits:
memory: 64Mi